SSL Termination on Cloud Load Balancers
What is SSL Termination?
SSL Termination is a new feature available for Cloud Load Balancers that allows for the termination of secure traffic at the load balancer once the load balancer is configured for it. Without this feature enabled, secure traffic is decrypted only by the webserver which holds the SSL certificate. With this feature enabled, customers can now balance SSL traffic over multiple Cloud Servers. This can amount to a significant performance increase when dealing with high-volume SSL traffic.
How is SSL traffic normally handled?
Secure traffic comes in to your site over an encrypted SSL connection, and it must be decrypted by the webserver which holds the SSL certificate. The Cloud Load Balancer passes all traffic directly to the Cloud Server with the corresponding SSL certificate, placing the burden of the decryption on that server alone. This is because each device (Cloudserver or Cloud Load Balancer) handling traffic through an SSL connection requires either its own SSL certificate or a Licensed Certificate Option.
What are the benefits of using SSL Termination on the Cloud Load Balancer?
With SSL Termination the traffic is decrypted at the Cloud Load Balancer, and unencrypted traffic can now be distributed to one or more Cloud Servers to be processed.
Other benefits include:
- The ability to configure a load balancer that accepts both secure & unsecured traffic, or secure traffic only.
- Can be a less expensive option compared to a dedicated F5 load balancer solution.
- Another alternative to using HA Proxy with Cloud Servers.
Do Cloud Load Balancers Support SSL Termination?
Yes, SSL Termination on Cloud Load Balancers is supported via the API and the Cloud Control Panel. SSL Termination can be established through the Load Balancer detail screen in the Cloud Control Panel.
SSL Termination allows users to have their secure traffic terminate at the load balancer with centralized certificate management. Features of this service include: SSL acceleration for improved throughput, reduced CPU load at the application level for better performance, and HTTP/HTTPS session persistence. SSL Termination should not be used when transferring certain types of Personally Identifiable Information (PII).
What are the security concerns?
After SSL Termination decrypts the data at the Cloud Load Balancer it passes the unencrypted data to any nodes that are configured for that device. If you have nodes that are not in the same datacenter as the SSL-enabled load balancer, that unencrypted data will be sent over the public internet to those nodes. Therefore we recommend you use an SSL-enabled load balancer only with nodes that reside in the same datacenter as the load balancer. Their proximity allows the load balancer to use the nodes’ private IP addresses (the servicenet) to limit unencrypted traffic to within the datacenter’s network, as illustrated below.
What is ServiceNet?
ServiceNet is an internal only, multi-tenant network connection within each Rackspace datacenter. ServiceNet IPs are not accessible from the public Internet and are local per datacenter. Rackspace customers may configure their account resources to utilize a ServiceNet IP address so that traffic over the internal network is not billed.
- Additional fees apply when SSL Termination is enabled.
- SSL Termination is available to Rackspace Cloud Load Balancer customers in the US and UK with a valid SSL certificate/intermediate certificate and associated private key.
- SSL Termination cannot be enabled when a Cloud Load Balancer is provisioned, it must be configured on exisiting Load Balancers by issuing a command through the API. Read our Developer's Guide to learn how to configure SSL Termination on an existing Cloud Load Balancer through the API.
© 2014 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License
See license specifics and DISCLAIMER